You need to make a decision about who is going to control the data. You really want a model where the most information is collected by the fewest people, especially if you are going to collect payment information. In the data breach context, it is most often the smaller companies that are hacked as a means to get to the larger companies, so your policy needs to be set based on how much risk you are willing to assume.
If you are focused on customer information, you can handle that with a form, and you definitely want that information in your files for future use. However, if you are collecting credit card and similar payment data, then your best bet is to have that submitted directly to the payment processor so the burden is on them in case of a breach.